
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" lang="zh_Hans">
  <head>
    <meta http-equiv="X-UA-Compatible" content="IE=Edge" />
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Django 2.1.15 版本发行说明 &#8212; Django 3.2.11.dev 文档</title>
    <link rel="stylesheet" href="../_static/default.css" type="text/css" />
    <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
    <script type="text/javascript" id="documentation_options" data-url_root="../" src="../_static/documentation_options.js"></script>
    <script type="text/javascript" src="../_static/jquery.js"></script>
    <script type="text/javascript" src="../_static/underscore.js"></script>
    <script type="text/javascript" src="../_static/doctools.js"></script>
    <script type="text/javascript" src="../_static/language_data.js"></script>
    <link rel="index" title="索引" href="../genindex.html" />
    <link rel="search" title="搜索" href="../search.html" />
    <link rel="next" title="Django 2.1.14 版本发行说明" href="2.1.14.html" />
    <link rel="prev" title="Django 2.2 版本发行说明" href="2.2.html" />



 
<script src="../templatebuiltins.js"></script>
<script>
(function($) {
    if (!django_template_builtins) {
       // templatebuiltins.js missing, do nothing.
       return;
    }
    $(document).ready(function() {
        // Hyperlink Django template tags and filters
        var base = "../ref/templates/builtins.html";
        if (base == "#") {
            // Special case for builtins.html itself
            base = "";
        }
        // Tags are keywords, class '.k'
        $("div.highlight\\-html\\+django span.k").each(function(i, elem) {
             var tagname = $(elem).text();
             if ($.inArray(tagname, django_template_builtins.ttags) != -1) {
                 var fragment = tagname.replace(/_/, '-');
                 $(elem).html("<a href='" + base + "#" + fragment + "'>" + tagname + "</a>");
             }
        });
        // Filters are functions, class '.nf'
        $("div.highlight\\-html\\+django span.nf").each(function(i, elem) {
             var filtername = $(elem).text();
             if ($.inArray(filtername, django_template_builtins.tfilters) != -1) {
                 var fragment = filtername.replace(/_/, '-');
                 $(elem).html("<a href='" + base + "#" + fragment + "'>" + filtername + "</a>");
             }
        });
    });
})(jQuery);</script>

  </head><body>

    <div class="document">
  <div id="custom-doc" class="yui-t6">
    <div id="hd">
      <h1><a href="../index.html">Django 3.2.11.dev 文档</a></h1>
      <div id="global-nav">
        <a title="Home page" href="../index.html">Home</a>  |
        <a title="Table of contents" href="../contents.html">Table of contents</a>  |
        <a title="Global index" href="../genindex.html">Index</a>  |
        <a title="Module index" href="../py-modindex.html">Modules</a>
      </div>
      <div class="nav">
    &laquo; <a href="2.2.html" title="Django 2.2 版本发行说明">previous</a>
     |
    <a href="index.html" title="发行说明" accesskey="U">up</a>
   |
    <a href="2.1.14.html" title="Django 2.1.14 版本发行说明">next</a> &raquo;</div>
    </div>

    <div id="bd">
      <div id="yui-main">
        <div class="yui-b">
          <div class="yui-g" id="releases-2.1.15">
            
  <div class="section" id="s-django-2-1-15-release-notes">
<span id="django-2-1-15-release-notes"></span><h1>Django 2.1.15 版本发行说明<a class="headerlink" href="#django-2-1-15-release-notes" title="永久链接至标题">¶</a></h1>
<p><em>December 2, 2019</em></p>
<p>Django 2.1.15 fixes a security issue and a data loss bug in 2.1.14.</p>
<div class="section" id="s-cve-2019-19118-privilege-escalation-in-the-django-admin">
<span id="cve-2019-19118-privilege-escalation-in-the-django-admin"></span><h2>CVE-2019-19118: Privilege escalation in the Django admin.<a class="headerlink" href="#cve-2019-19118-privilege-escalation-in-the-django-admin" title="永久链接至标题">¶</a></h2>
<p>Since Django 2.1, a Django model admin displaying a parent model with related
model inlines, where the user has view-only permissions to a parent model but
edit permissions to the inline model, would display a read-only view of the
parent model but editable forms for the inline.</p>
<p>Submitting these forms would not allow direct edits to the parent model, but
would trigger the parent model's <code class="docutils literal notranslate"><span class="pre">save()</span></code> method, and cause pre and post-save
signal handlers to be invoked. This is a privilege escalation as a user who
lacks permission to edit a model should not be able to trigger its save-related
signals.</p>
<p>To resolve this issue, the permission handling code of the Django admin
interface has been changed. Now, if a user has only the &quot;view&quot; permission for a
parent model, the entire displayed form will not be editable, even if the user
has permission to edit models included in inlines.</p>
<p>This is a backwards-incompatible change, and the Django security team is aware
that some users of Django were depending on the ability to allow editing of
inlines in the admin form of an otherwise view-only parent model.</p>
<p>Given the complexity of the Django admin, and in-particular the permissions
related checks, it is the view of the Django security team that this change was
necessary: that it is not currently feasible to maintain the existing behavior
while escaping the potential privilege escalation in a way that would avoid a
recurrence of similar issues in the future, and that would be compatible with
Django's <em>safe by default</em> philosophy.</p>
<p>For the time being, developers whose applications are affected by this change
should replace the use of inlines in read-only parents with custom forms and
views that explicitly implement the desired functionality. In the longer term,
adding a documented, supported, and properly-tested mechanism for
partially-editable multi-model forms to the admin interface may occur in Django
itself.</p>
</div>
<div class="section" id="s-bugfixes">
<span id="bugfixes"></span><h2>漏洞修复<a class="headerlink" href="#bugfixes" title="永久链接至标题">¶</a></h2>
<ul class="simple">
<li>Fixed a data loss possibility in the
<a class="reference internal" href="../ref/models/querysets.html#django.db.models.query.QuerySet.select_for_update" title="django.db.models.query.QuerySet.select_for_update"><code class="xref py py-meth docutils literal notranslate"><span class="pre">select_for_update()</span></code></a>. When using
<code class="docutils literal notranslate"><span class="pre">'self'</span></code> in the <code class="docutils literal notranslate"><span class="pre">of</span></code> argument with <a class="reference internal" href="../topics/db/models.html#multi-table-inheritance"><span class="std std-ref">multi-table inheritance</span></a>, a parent model was locked instead of the
queryset's model (<a class="reference external" href="https://code.djangoproject.com/ticket/30953">#30953</a>).</li>
</ul>
</div>
</div>


          </div>
        </div>
      </div>
      
        
          <div class="yui-b" id="sidebar">
            
      <div class="sphinxsidebar" role="navigation" aria-label="main navigation">
        <div class="sphinxsidebarwrapper">
  <h3><a href="../contents.html">Table of Contents</a></h3>
  <ul>
<li><a class="reference internal" href="#">Django 2.1.15 版本发行说明</a><ul>
<li><a class="reference internal" href="#cve-2019-19118-privilege-escalation-in-the-django-admin">CVE-2019-19118: Privilege escalation in the Django admin.</a></li>
<li><a class="reference internal" href="#bugfixes">漏洞修复</a></li>
</ul>
</li>
</ul>

  <h4>上一个主题</h4>
  <p class="topless"><a href="2.2.html"
                        title="上一章">Django 2.2 版本发行说明</a></p>
  <h4>下一个主题</h4>
  <p class="topless"><a href="2.1.14.html"
                        title="下一章">Django 2.1.14 版本发行说明</a></p>
  <div role="note" aria-label="source link">
    <h3>本页</h3>
    <ul class="this-page-menu">
      <li><a href="../_sources/releases/2.1.15.txt"
            rel="nofollow">显示源代码</a></li>
    </ul>
   </div>
<div id="searchbox" style="display: none" role="search">
  <h3>快速搜索</h3>
    <div class="searchformwrapper">
    <form class="search" action="../search.html" method="get">
      <input type="text" name="q" />
      <input type="submit" value="转向" />
      <input type="hidden" name="check_keywords" value="yes" />
      <input type="hidden" name="area" value="default" />
    </form>
    </div>
</div>
<script type="text/javascript">$('#searchbox').show(0);</script>
        </div>
      </div>
              <h3>Last update:</h3>
              <p class="topless">12月 07, 2021</p>
          </div>
        
      
    </div>

    <div id="ft">
      <div class="nav">
    &laquo; <a href="2.2.html" title="Django 2.2 版本发行说明">previous</a>
     |
    <a href="index.html" title="发行说明" accesskey="U">up</a>
   |
    <a href="2.1.14.html" title="Django 2.1.14 版本发行说明">next</a> &raquo;</div>
    </div>
  </div>

      <div class="clearer"></div>
    </div>
  </body>
</html>